VA OIG Audit Highlights System Life-Cycle Management Issues

June 10, 2024
About 87 percent of the Bedford VA Healthcare System’s network devices used operating systems that did not meet baseline security requirements, report finds

A recent VA Office of Inspector General (OIG) audit of the information security program and practices at the Bedford VA Healthcare System in Massachusetts found several issues with life-cycle management of network devices. 

OIG audit reports provide a glimpse into the types of IT security weaknesses that many health systems encounter. Network device life-cycle management is one of them, along with the deployment of security patches and system upgrades.

The OIG inspection team noted that about 87 percent of the Bedford VA Healthcare System’s network devices used operating systems that did not meet baseline security requirements.

Further, 4 percent of these network devices were at the end of their useful life and no longer received maintenance support from the vendor. In addition, 12 vulnerabilities were spread across the 4 percent of network devices that contained vulnerabilities identified by the Cybersecurity and Infrastructure Security Agency (CISA) as known exploited vulnerabilities, which all federal civilian executive branch agencies are required to remediate.

The facility’s IT staff pointed out that the outdated software was allowed based on VA procedure; however, the OIG responded that VA policy states that VA sites should not use unsupported end-of-life software.

Deficient devices that did not meet VA baseline security configurations should have been updated with vendor-supported systems software during the standard system development life-cycle process, the OIG report said. “Upgrading is a proactive strategy to protect network stability and ensure security and privacy.”



Prior audits have repeatedly found deficiencies in VA’s configuration management process by which the Office of Information and Technology (OIT) identifies, classifies, and reduces weaknesses. 

The Bedford VA Healthcare System audit inspection team identified 10 instances where databases were hosting personally identifiable information that was not monitored with OIT’s quarterly compliance scans to detect unresolved security issues. While the database servers were re-imaged within the last six months, without quarterly compliance scans management has no assurance that these databases are configured in compliance with VA configuration security baselines, the audit report states. The inspection team evaluated the servers and found approximately 66 percent of the databases did not meet VA’s configuration baselines because they were not scanned for vulnerabilities and were not configured to capture audit logs.

OIT representatives said it is the responsibility of healthcare system personnel to request compliance scans for databases owned and maintained by the facility or their contractors.

Further, the facility could not provide evidence that audit logs for these databases were captured. As a result, user account access to these databases was not monitored for unauthorized access. Without effective database monitoring, there is an increased risk that a data breach of personally identifiable information could occur and go undetected, the report said. 

Among the audit team’s recommendations were that VA OIT: 
• Implement a process to verify system owners review user account access to locally managed databases. 
• Implement effective system life-cycle processes to ensure network devices meet standards mandated by the VA Office of Information and Technology Configuration Control Board. 


The assistant secretary for information and technology and chief information officer concurred with these recommendations and several others, and submitted planned corrective actions that are responsive to the intent of each recommendation. To support his request that recommendations 2 and 3 be closed, the assistant secretary provided sufficient evidence showing that the actions taken in response to these recommendations have been completed. Therefore, the OIG considers these recommendations closed. 

The VA OIG also recently contracted with the independent public accounting firm CliftonLarsonAllen LLP to assess VA’s overall information security program in accordance with the Federal Information Security Modernization Act (FISMA). FISMA requires agency program officials, chief information officers, and inspectors general to conduct annual reviews of agencies’ information security programs and report the results to the Department of Homeland Security (DHS). DHS uses these results to assist in its oversight responsibilities and to prepare an annual report to Congress on agency compliance with FISMA.

According to findings by CliftonLarsonAllen LLP, VA continues to face significant challenges in complying with FISMA due to the nature and maturity of its information security program. The firm recommended that VA should do the following:
• Address security-related issues that contributed to the information technology material weakness reported in the FY 2023 audit of VA’s consolidated financial statements.
• Improve deployment of security patches, system upgrades, and system configurations that will mitigate significant security vulnerabilities and enforce a consistent process across all VA facilities.
• Improve performance monitoring to ensure controls are operating as intended at all facilities, and communicate identified security deficiencies to the appropriate personnel so they can mitigate significant security risks.